Introduction 


The purpose of this Guide is to provide suggested lines of enquiry to staff in institutions which fall under 
the Municipal Freedom of Information and Protection of Privacy Act, 1989 (“MFOIPPA” or the “Act”). 
Specifically, it is geared to auditors and other employees who have responsibility to ensure that the 
legislative requirements of MFOIPPA are complied with within their respective institutions. This Guide is very 
similar to the one prepared for those institutions which come under the Provincial Freedom of 
Information and Protection of Privacy Act. The Provincial Audit Guide was designed specifically to 
provide suggested lines of enquiry for ministry internal auditors which they might follow in approaching 
an audit of compliance with the Provincial Freedom of Information and Protection of Privacy Act. 


This Guide, while geared toward the audit community, will be useful in those institutions which do not 
have an auditor(s) on staff but have an employee charged with ensuring that their institution meets the 
legislative requirements of MFOIPPA. 


The Guide does not go into the specifics of conducting an audit, but concentrates instead on identifying 
criteria and lines of enquiry that would be useful in assessing relevant controls and practices as they 
pertain to access and privacy matters in the local institution. 


Based on the requirements of the specific audit or review and the institution’s established auditing 
practice, it is the responsibility of the auditor or the person charged with the responsibility of ensuring 
compliance with the Act within the institution, to develop the general direction given in this Guide into a 
detailed review. In doing so, s/he must decide the extent to which the various criteria and objectives 
are appropriate to the program under review. 


Background 
1. Highlights of MFOIPPA 

Legislation 


MFOIPPA incorporates the principles of freedom of information and protection of 
individual privacy into a single Act. This Act, which came into effect on January 1, 
1991, applies to all institutions noted in section 2(1)(a) of the Act. An institution is: 


(a) a municipal corporation, including a metropolitan, district or regional municipality 
or the County of Oxford, 


(b) a school board, public utilities commission, hydro electric commission, transit 
commission, suburban roads commission, public library boards, board of health, 
police commission, conservation authority, district welfare administration board, 
local services board, planning board, local roads board, police village or joint 
committee of management or joint board of management established under the 
Municipal Act. 


(c) any agency, board, commission, corporation or other body designated as an 
institution in the regulations; ("institution"). 
Purpose 


The Act provides individuals with a legal right of access to certain records and personal 
information under the control of institutions covered by the legislation. 


The purposes of the Act are as follows: 


(a) to provide a right of access to information under the control of institutions in 
accordance with the principles that: 


— information held by institutions should be available to the public, 


— necessary exemptions from this general right of access should be limited 
and specific, and 


— decisions on the disclosure of government information should be 
reviewed independently. 


(b) to protect the privacy of individuals with respect to personal information about 
themselves held by institutions, and to provide individuals with a right of access 
to that information. 

Organization of the Act 

The Act is divided into five parts, as follows: 

Part I: Freedom of Information: Access to Records 
This concerns the right of access, the exemptions to that right, access 
procedures and the information to be published or available to assist in locating 
information. 

Part II: Protection of Individual Privacy 
This concerns the collection, use, disclosure, retention and disposal of personal 
information and personal information banks. An individual’s right of access to 
personal information and to correction of that information is considered. 

Part III: Appeal 
This addresses the right to, and the process of, appeal. 

Part IV: General 
This covers general matters including fees, offenses, regulations and the powers 
and duties of the Information and Privacy Commissioner / Ontario. 


Scope 
As of January 1, 1991, MFOIPPA extended freedom of information and privacy 
principles to more than 2,500 local institutions, municipal corporations, school boards, 
public utility commissions, hydro-electric commissions, transit and police commissions, 
conservation authorities, boards of health and other local boards. 


The Act applies to any record in the custody, or under the control, of an institution, 
whether it was produced before or after the Act came into force. 


The Act does not apply to: 


— records placed in the archives of an institution by or on behalf of a 
person or organization other than the institution. 


This Act prevails over a confidentiality provision in any other act unless the other act or 
this Act specifically provides otherwise. The following confidentiality provisions prevail 
over this Act: 


i) Section 90 of the Municipal Elections Act; 


ii) Subsection 57(1) of the Assessment Act. 


2. Key Players in the Administration of the Act 


The administrative requirements relate to the following general areas: 


• responding to requests for access to records; 
• protecting personal privacy; 
• providing specific information to the Information and Privacy 
Commissioner / Ontario and the Responsible Minister; and 
• making information available to the public. 

The key players to meet these administrative requirements are the Responsible Minister, the 
Information and Privacy Commissioner / Ontario, the Head of the Institution, and the Freedom of 
Information and Protection of Privacy Co-ordinator. 


Responsible Minister 


The Responsible Minister, who is the Chair of Management Board of Cabinet, administers the 
Act. Duties include: 


— publish annually the Directory of Institutions, a compilation of all provincial and municipal 
institutions; 


— prescribe forms and prepare training packages and other products to support the 
implementation of the Act; 


— approve, where appropriate, requests for waivers of notices; 
— issue directives and regulations. 
The Information and Privacy Commissioner / Ontario (the "Commissioner") 


The Commissioner, appointed by the Lieutenant Governor-in-Council, is an officer of the 
Legislature. 


If an affected individual — including a third party — disagrees with a decision relating to the 
disclosure of a record or with respect to access matters, the Commissioner may be asked to 
review the decision [section 39]. 
The Commissioner is charged with reviewing and determining whether or not the record falls 
within one of the categories of exemptions and exceptions. The Commissioner makes an 
independent determination on these matters and makes a binding order accordingly. 
The Commissioner has the right to inspect the record [section 41(4)], examine witnesses under 
oath [subsection 41(8)] and hear representations without other parties present [subsection 
41(13)]. 
The Commissioner may also order the institution to cease an information collection practice and 
destroy collections of personal information if, after a hearing, they are found to contravene the 
Act [subsection 46(b)]. 

The Head of the Institution (the "Head") 


The Head is responsible for decisions made under the legislation on behalf of the institution and 
for overseeing the administration of the legislation within the institution. 


A council or board can designate from among its members an individual or committee to be the 
Head [section 3]. Once the Head has been determined, the powers or duties of the Head can be 
delegated to an officer or officers of the institution. 


Responsibilities of the Head 


The legislation places certain administrative and reporting requirements on Heads of institutions. 
These include: 


— adhering to time limits and notification requirements; 


— considering representations from third parties who may be affected by the disclosure of 
records; 


— making decisions regarding the disclosure of records, and responding to access requests; 
— determining the method of disclosing records; 
— responding to requests for correction of personal information; 


— calculating and collecting fees; 
— preparing and making available descriptions of the general types of records and personal 
information banks maintained by an institution; 


— where necessary, defending decisions made under the Act at an appeal; 
— administering the privacy protection provisions of the legislation; 
— filing an annual report with the Commissioner, as required by section 26. 


Once the council or board has determined the Head for the purposes of the Act, the Head may 
choose to delegate some or all of the Head’s powers and duties under the Act. However, even 
if the powers or duties are delegated, the Head remains accountable for actions taken and 
decisions made under the Act. 


The Head may delegate the powers and duties in writing to an officer or officers of the 
institution or of another institution [section 49(1)]. The delegation would usually be to a 
position, rather than to a named individual. The document that sets out the delegation should 
make clear the duties and functions being delegated. The Head may place limitations, 
restrictions, conditions or requirements on the delegation. 


Section 3(2) of the legislation states that the members elected or appointed to the board, 
commission or other body that is an institution other than a municipal corporation may designate 
in writing, from among themselves, an individual or a committee of the body to act as Head for 
the purposes of this Act. Section 3(3) goes on to state that if no person is designated as Head 
under this section, the Head shall be the members elected or appointed to the board, commission 
or other body. 


Freedom of Information and Privacy Co-ordinator (the "Co-ordinator") 
Each institution designates a Co-ordinator responsible for the co-ordination of activities related to 
the legislation. 


The role and the responsibilities assigned to the Co-ordinator will vary according to the size and 
organization of the institution. Although the specific duties will vary considerably from institution 
to institution, the responsibilities of the Coordinator may include coordination in the following 
areas: 

— developing policy recommendations on issues related to the legislation; 

— developing and monitoring procedures for the administration of the Act; 


— providing orientation and training to staff; 


— consulting with line and senior management and other staff on the interpretation and 
administration of the legislation; 


— making decisions or assisting in the decision-making process on requests under the Act 
(on the delegated authority of the Head) and appeals; 


3. Impact of Non-Compliance 


MFOIPPA is a clear and strong statement by the Government of Ontario of its commitment to 
open and accessible government and its respect of, and commitment to, the protection of an 
individual’s privacy. Non-compliance with this Act would be a fundamental disregard and 
rejection of these core values. 


Non-compliance, in addition to its major contradiction to government policy, could result in the 
failure to honour the privacy of individuals, endanger the security of confidential documents, 
encourage poor records management and violate commitments and legal obligations to other 
levels of governments as well as contravene contractual agreements with the private sector. 


4. Offenses 
Section 48 outlines offences under the Act and the penalty for offences. 

It is an offence to wilfully disclose personal information in contravention of the Act [subsection 
48(1)(a)]. This offence consists of intentionally and knowingly disclosing personal information in 
a manner that is not authorized by section 32 of the Act. 


— wilfully maintain a personal information bank that contravenes this Act [section 
48(1)(b)]; 


— make a request under this Act for access to or correction of personal information under 
false pretences [section 48(1)(c)]; 


— wilfully obstruct the Commissioner in the performance of his or her functions under this 
Act [section 48(1)(d)]; 


— wilfully make a false statement to mislead or attempt to mislead the Commissioner in the 
performance of his or her functions under this Act [section 48(1)(e)]; or 


— wilfully fail to comply with an order of the Commissioner [section 48(1)(f)]. 


Section 48(2) states that every person who contravenes section 48(1) is guilty of an offence 
and on conviction is liable to a fine not exceeding $5,000. 


It is an offence to make a request for access to or correction of personal information under false 
pretences. 


Sections 48(1)(d), (e) and (f) create offences relating to the obstruction of the Commissioner in 
the carrying out of his or her duties or exercising his or her powers. A prosecution cannot be 
commenced under sections 48(1)(d), (e) or (f) without the consent of the Attorney General 
[section 48(3)]. 
Structural Elements of Freedom of Information and Protection of Privacy 
Prior to undertaking any audit or review of MFOIPPA in an institution, it is necessary to 
understand what components make up the service framework (i.e., the people and structure 
involved in meeting the requirements of MFOIPPA). 


Therefore, the following should be present: 


• Internal MFOIPPA policies. 
• Internal operational procedures to meet these policies. 
• A process for monitoring and reporting the activities surrounding MFOIPPA to the Head 
or the delegated Head of the institution. 
• Appointment of a MFOIPPA co-ordinator. 
• Establishment of a MFOIPPA network within the institution based on the internal policies 
and procedures, where the size of the institution warrants such a network. 


Audit / Review Objectives 


To review and report on the management processes and practices in place to maintain and 
monitor MFOIPPA in the institution. 


To ascertain whether access provisions are provided by institutions according to the 
requirements of MFOIPPA. 


To ascertain that the privacy requirements of MFOIPPA are met. 
Information Sources 

There are a variety of information sources for review. The size and structure of the local 
institution will be significant in terms of whether or not some or all of the following tools are 
available. Examples include the institution’s implementation plan; delegation of authority 
statements; compliance plans; records management procedures; policy directives, guidelines 
and procedure manuals; memoranda to management; human resources planning, related 
tracking systems; briefing notes and issue papers; and the institution’s operational plans. 


References / Authoritative Sources 


Prior to conducting an audit or review, the team should be familiar with legislation and 
authoritative sources relevant to the provision of MFOIPPA by the institution. 


Suggested sources are: 


• Acts governing local institutions, e.g. the Municipal Act, the Planning Act; 
• Publications from Management Board Secretariat; 
• Handbook for Municipalities and Local Boards; 
• An Annotation (produced by Management Board Secretariat); 
• Regulations and Guidelines for Municipalities and Local Boards; 
• Annual Reports publication from the office of the Commissioner; 
• Newsletters, seman of privacy reports; 
• Directory of Institutions. 


Summary of Criteria 
Criteria are major standards of performance established by the legislation, regulations and 
guidelines for municipalities and local boards. Lines of enquiry are suggested controls/practices 
that will assist in ensuring that the standards are being met. 
Reviewing these lines of enquiry will assist the auditor in determining whether there is 
appropriate assurance that the legislation, regulations and guidelines are being complied with, 
and to conduct sufficient tests to ensure that the following controls are in place and are 
working: 

1. Management Processes 


Corporate Strategy 


The institution has incorporated the requirements of MFOIPPA into its corporate strategic 
planning. 


Planning 


There is an operational planning process for meeting the requirements of MFOIPPA, 
which is linked to organizational and corporate strategies and priorities. 


Responsibility and Authority 


Delegated authority has been established commensurate with responsibilities and 
accountability. 


Training 


Information necessary for the effective implementation of MFOIPPA has been 
disseminated. 


Operational Monitoring and Control 


There is a system in place which monitors and controls operational performance results, 
identifies variances and reforecasts performance targets. 


Evaluation 


There are clear and measurable indicators and targets against which the MFOIPPA 
program and services are evaluated. 
Reporting 


There is a reporting mechanism in place which provides financial, statistical and 
operational information to meet the requirements of the institution’s management. 


2. Legislative Requirements 
A — Freedom of Information 
Obligation to Disclose 


The Head discloses a record that reveals a grave environmental, health or safety 
hazard to the public and where it is in the public interest to do so. 


Access Process 


The Head has ensured that the legislated right of access to a record in the 
custody or under the control of the institution is met. 


Availability of Information 


Provision has been made for the public to review the information to which 
access has been granted. 


Security 


There is a process established to ensure the security of the institution’s records 
when access is provided. 


Fees 


Institutions charge fees which are reasonable and fair. 


B — Protection of Individual Privacy 
Collection of Personal Information 


Policies and procedures are in place to ensure that the institution’s staff collect 
personal information in accordance with legislative requirements. 


Personal Information Banks 


There is a system to identify personal information, record its use and report this 
information as required. 


Use of Personal Information 


The institution's use of personal information has respected the individual’s 
privacy and right to know how the information is being used. 
Disclosure of Personal Information 


There are controls to ensure that the disclosure of personal information meets 
the legislative conditions. 


Retention of Records 


The institution has record-keeping systems that efficiently maintain and retrieve 
information. 


Accuracy of Records 


There is a process to ensure that records concerning personal information are 
accurate. 


Correction to Records 


Individuals having access to their personal information have the opportunity to 
record corrections to, or disagreements with, that information. 


Disposal of Records 
There are processes in place to ensure efficient and prompt disposal of records 
when their administrative, legal and fiscal value has ceased, in accordance with 
retention schedules. 


Criteria and Lines of Enquiry 
Management Processes 


Corporate Strategy 


Criterion: 


The institution has incorporated the requirements of MFOIPPA into its corporate 
strategic planning. 


Lines of Enquiry: 


a) MFOIPPA is a consideration in the strategic planning process. 

b) The corporate publications, internal and external, include references to 
MFOIPPA. 

c) The institution's documentation and forms include notification as 
required by MFOIPPA (i.e., forms relating to application for employment, 
application for continuing education courses, grant/loan applications). 

d) Orientation packages/programs for new staff include material on 
MFOIPPA which clearly enunciates the institution’s commitment to it 
and adoption of its requirements. 

e) There is a process to ensure that all briefing and issue documents have 
been reviewed for MFOIPPA concerns prior to submission to the head, 
senior management and/or the council or governing body. 

Planning 
Criterion: 

There is an operational planning process for meeting the requirements of 
MFOIPPA, which is linked to organizational and corporate strategies and 
priorities. 


Lines of Enquiry: 


a) The planning process results in a statement of measurable and realistic 
MFOIPPA goals and objectives, performance targets and time frames. 


b) Responsibility for the MFOIPPA component of operational plans and 
expenditure control is clearly assigned. 


c) There is an appropriate designation of responsibilities within the 
institution to meet the requirements of MFOIPPA. 


d) Operational plans and budgets are initiated well in advance of the 
current fiscal year. 


e) Operations are governed by policies and procedures which are 
adequately documented, approved by senior management, and the 
Council or Board, and communicated to staff. 

f) Plans and resources are sufficiently flexible and viable to allow for 
in-year amendments to by-laws, directives or courses of action requested 
by IPCO and MSB. 

Responsibility and Authority 


Criterion: 


Delegated authority has been established commensurate with responsibilities and 
accountability. 


Lines of Enquiry: 


a) Delegated powers and duties of the Head are documented by a signed 
delegation of authority and are in accordance with MFOIPPA. 
b) A Co-ordinator for freedom of information and privacy matters has been 
designated and appointed, and integrated into the institution. 


c) Reporting relationships are defined in an organization chart, and 
accountability is documented, communicated and adopted. 


d) Roles and responsibilities of staff with MFOIPPA responsibilities are 
clearly defined, understood and documented. 


e) The range of authorities (financial, administrative, program) has been 
established in writing by senior management and communicated to the 
Co-ordinator and, as appropriate, line staff with specifically assigned 
MFOIPPA responsibilities. 


Training 


Criterion: 


Information necessary for the effective implementation of MFOIPPA has been 
disseminated. 


Lines of Enquiry: 


a) MFOIPPA manuals and/or procedures are available to staff. 


b) Training and orientation plans for staff have been developed as part of 
the annual operational plan, and take into account staff turnover and 
reassignment. 


c) Staff training has been provided to foster understanding of the 
requirements of MFOIPPA, directive and manual, and addresses the 
consistent application of these requirements. 


d) General information on MFOIPPA is provided to staff in a documented 
form that is easy to read and understand. 


Operational Monitoring and Control 


Criterion: 


There is a system in place which monitors and controls MFOIPPA operational 
performance results, identifies variances and reforecasts performance targets. 


Lines of Enquiry: 


a) The progress and effectiveness of the operational plans are monitored 
regularly. 


b) Significant variances have been explained and planned corrective action 
indicated if necessary. 


c) Current statistics on the volume of work and the accomplishment of 
program are maintained for planning purposes. 


d) Channels of communication are in place to ensure the effective sharing 
of information among key players. 


e) Periodic reviews are undertaken to determine compliance with FOIPPA. 


Evaluation 
Criterion: 


There are clear and measurable indicators and targets against which the 
MFOIPPA program and services are evaluated. 


Lines of Enquiry: 


a) There is a periodic review by the program staff to determine if objectives 
are being achieved. 


b) Issues included in the evaluation are: 
— program impact and effect; 
— objectives achievement; and 
— alternatives. 


c) The mandate and program objectives are relevant and related to the 
institution's strategic and operational priorities. 


d) Results of evaluations are used to make decisions on program design 
and implementation within the institution. 


e) Program evaluation is built into the annual workplan. 


Reporting 
Criterion: 
There is a reporting mechanism in place which provides financial, statistical and 
operational information to meet the requirements of senior institution 
management and the central agencies. 

Lines of Enquiry: 

a) There is a reporting process to ensure that information provided to the 
Council or Board, and senior management is timely, accurate, relevant 
and complete. 


b) Progress in achieving operational plans is reported to senior management 
through operational control reporting. 


c) An annual report has been submitted to the Commissioner outlining: 

— the number of access requests received; 


— the number of requests refused, and under what provision, and 
the number of times each provision was used; 


— the number of uses or purposes for which personal information 
is disclosed if the use or purpose is not included in the 
statements of uses and purposes written by the institution; 


— the number of times personal information was used/disclosed for a 
purpose not in the Statement of regular uses; 


— the amount of fees collected; and 


— other information as required. 


2. Legislative Requirements 


Part A — Freedom of Information 


Obligation to Disclose 


Criterion: 


The institution responds to the public’s right to be informed of information in an 
institution record relating to grave environmental, health or safety hazard. 


Lines of Enquiry: 


a) If a record reveals a grave environmental, health or safety hazard to the 
public, the Head has disclosed as soon as practical this information to 
the public or to the person affected and this disclosure has been 
documented in the file. 


b) Prior to disclosing a record under this section, there is evidence that 
notice has been given to any person to whom the information in the 
record relates, if it is practicable to do so. 


c) The notice contains: 


— a statement that the Head intends to release a record/part of a 
record that may affect the interests of the person; 


— a description of the contents of the record/part of the record 
that relate to the person; and 


— the statement that representation of appeal will be considered 
by the Head. 


d) If the situation is urgent, the giving of notice has been expedited (e.g., 
by telephone or fax). 


e) If notice has not been given, the reason has been documented. 


f) If representations concerning why the record should not be disclosed 
have been made to the Head, there is evidence that the Head has 
considered the reasons presented and the decision subsequently made 
has been documented. 


Access Process 


Criterion: 


The Head has ensured that the legislated right of access to a record in the 
custody or under the control of the institution is met. 


Lines of Enquiry: 


a) There are policies and procedures outlining staff's responsibilities in the 
access process. 


b) Requests for access to information have been submitted in writing or, if 
submitted orally, have been documented. 


c) There is a monitoring system in place to record the date the request was 
received, the staff person to whom it was forwarded for attention, the 
decision-making individual, action taken on the request, and the time 
required to deal with the request. 


d) If a request is not clear or understood by the institution, there is 
evidence that the institution has offered the requester assistance in 
redrafting the request. 


e) Within thirty days of the request being received by the institution: 


— the requester has been notified whether or not the request will 
be granted; 


— interim (or final) decision about fee to be charged if fee is 
estimated to be over $25; 


— if third parties are involved, they have been contacted, as has 
the requester; 


— if there is an extension, that the requester has been notified and 
advised of the right to appeal this decision; and 


— access to the record is provided if there are no extensions or 
referrals to third parties. 


Exemptions 


f) There is a process in place to ensure that records subject to an access 
request have been reviewed for possible grounds for exemption prior to 
disclosure. 


g) Any refusal to permit access based on an exemption has been 
documented in the file(s). 


Extended Request 


h) If the requester has specified that the request continue to have effect 
for an extended period of time (up to two years), the institution has 
provided the requester with: 


— a schedule showing dates during that period when the request 
will be activated; 


— why these dates were selected; and 


— notification that the schedule may be reviewed by the 
Commissioner on request. 


i) There is a mechanism to ensure that the schedule for an extended 
request is met. 


Severance 


j) Where part of a record is severed prior to access being granted, a copy 
of the severed report has been retained on file and the section used for 
the severing has been recorded. 


k) Where part of a record has been severed, the requester has been 
notified that: 


— a statement that the record exists; 


— the specific provision of the Act under which access is refused, 
and the reason the provision applies; 


— the name and position of the person responsible for the 
decision; and 


— the requester may ask the Commissioner to review the decision. 


Notice 


l) Each decision made during the course of processing the request for 
access, and the section of the Act under which the decisions were 
made, are documented, and evidence that the requester has been 
notified is in the file. 


m) If the search has been narrowed based on interpretation of the request, 
the requester has been advised accordingly. 


Second Institution 


n) Where the record is in the control of, or of greater interest to, a second 
institution, within 15 days of receipt of the request the Head has: 

— forwarded the request to the second institution; and 

— notified the requester. 

Extended Time Limit 

o) If the time limit was extended, one of the two following conditions 
existed: 

— the request was for a large number of records, or necessitated 
search through a large number of records and meeting the time 
limit would have unreasonably interfered with institution 
operations; or 

— consultations outside of the institution necessary to the request 
could not be completed within the time limit. 

p) When the time limit has been extended, the requester was sent a notice 
of the extension outlining: 

— length of the extension; 

— reason for the extension; and 

— the requester may ask the Commissioner to review the 
extension. 

Third Party

q) Where third party notice is required, it has been issued within 30 days
of receipt of the request, and includes:

— a statement that the Head is considering the release of
information that may affect the interests of the third party;

— a description of the relevant information; and

— a statement that the person may, within 20 days of the receipt
of this correspondence, make representation to the Head as to
why the record should not be disclosed.

r) When third party notice has been released, notification has been given
to the requester at the same time outlining:

— the record (or part of it) that may affect the third party;

— that the third party is being given the opportunity to make
representations concerning the disclosure; and

— a decision will be made within 30 days.

s) When third party notice has been released, the Head has documented
that:

— the record may contain information that affects the interests of
the third party; or

— the record may contain personal information that the Head
believes would constitute an unjustified invasion of personal
privacy if disclosed.

t) When third party notice has been given, the decision on disclosure of
the information is made no sooner than 21 days after the notice has
been received by the third party, or the day the third party responds.

u) The decision to disclose is communicated to both the requester and the
third party, and outlines:

— the decision made;

— the third party may appeal the decision to the Commissioner
within 30 days; and

— after 30 days, if there is no appeal, the requester will be given
access to the information and this date is clearly specified.

v) Or, the decision to refuse disclosure is communicated to both the
requester and the third party, and outlines:

— the provision of the Act under which access is refused;

— the reason this provision applies;

— the name and office of the person responsible for the decision;
and

— the requester’s right to appeal to the Commissioner for a review
of the decision.

Personal Information


w) Personal information has been provided to the requester in a 
comprehensible form. 


x) There is evidence in the file that a copy of the personal information has 
been provided to the requester in response to his/her request. 


Availability of Information 


Criterion: 


Provision has been made for the public to review the information to which access has
been granted.


Lines of Enquiry: 


a) The institution has designated a reading room, library or office in which the 
public may review institution material. 

b) This reading room is clearly marked, can be readily located and its location is 
specified in the institution’s publications. 

c) The reading room contains:
— the institution's manuals, guidelines and directives relating to the
institution’s programs;
— the institution’s annual report to the Commissioner;
— index of all personal information banks held in the institution;
— listing of all institutions; and
— other material as required by the legislation.

d) Where any deletion has been made from the documents in the reading area,
there is:
— notification of the deletion;
— a statement of the nature of the deleted material; and
— the section of MFOIPPA under which the deletion was made.

Security

Criterion:

There is a process established to ensure the security of the institution’s records.

Lines of Enquiry:

a) There are policies and procedures concerning authorized and
unauthorized access to records and inadvertent destruction or damage,
which are documented and circulated to staff.

b) When a person seeks access to his/her own personal information, prior
to granting access, the person’s identification has been verified, and this
fact is noted in the relevant file(s).

c) Original records do not leave the premises of the institution without
appropriate measures to ensure security.

d) Records are available only to those staff requiring them for the
performance of their duties.

e) Prior to disclosing personal information for a research purpose, the
institution has entered into an agreement with the researcher which
covers:

— the use of the information, with confidentiality ensured;

— the name of others to whom the information will be disclosed
and the agreement to be reached with them regarding
confidentiality;

— the physical security of the information;

— the removal of individual identifiers;

— the contacting of individuals to whom the information relates;
and

— notification of any breach of the conditions if it occurs.

f) There are policies and procedures relating to security of records on an
ongoing basis, including the following:

— locking of cabinets;

— maintaining a "clean desk";

— keeping confidential documents in a secure area;

— restricted access to office and record storage areas; and

— computer access controls.

Fees

Criterion:

Institutions charge fees which are reasonable and fair.

Lines of Enquiry:

a) Where fees have been waived, there is evidence documented in the files of:

— financial hardship;

— involvement of public health or safety;

— personal information relating to the requester;

— the amount of payment is too small to justify payment (under $5); and

— the extent to which the actual cost has varied from the amount of
payment.

b) Where the cost is over $25, the requester has been given the estimate prior to
access.

c) Where the requester has been asked to pay a deposit of 50% of the estimate,
the estimate is over $25 (pre-1991 figure was $50).

d) When a fee has been charged for access to a record or for correction of a
record, costs relate to:

— search charge for time over two hours;
— preparing the record for disclosure; photocopying;
— floppy disks; shipping; developing a computer program; and
— locating, retrieving, processing and copying the record if the institution
is invoiced for these costs.

e) Where appropriate, the Head has used discretion in consideration of fees
(including waiving of fees).

f) Where the institution has provided a copy of an original record to a site other
than where the record is kept, for the requester’s review, costs of copying and
forwarding the record have not been charged to the requester.

g) There is a mechanism to ensure fees collected by ministries and Schedule 1
agencies have been deposited in the Consolidated Revenue Fund.

Dollar value reflects 1991 regulations. Fee schedule should be consulted
for any subsequent changes.

Part B — Protection of Individual Privacy

Collection of Personal Information

Criterion:

Policies and procedures are in place to ensure that institution staff collect
personal information in accordance with legislative requirements.

Lines of Enquiry:

a) Personal information collected has been authorized by statute, or is used
for law enforcement purposes, or is necessary for the administration of
a lawfully authorized activity.

b) Personal information has been collected directly from the individual
whenever possible.

c) Where the personal information has been collected from a source other
than the individual, there is evidence of one of the following:

— the individual has authorized another manner of collection, and
this authorization has been documented;

— the personal information has been disclosed by another
institution;

— the personal information is in a report submitted in accordance
with the Consumer Reporting Act;

— the personal information is collected to determine suitability for
an honour/award;

— the personal information is collected for a possible
court/judicial/quasi-judicial tribunal proceeding;

— the personal information is collected for law enforcement
purposes; or

— another collection manner has been authorized by statute or by
the Commissioner.

d) There is evidence on file that the individual to whom the personal
information relates has been informed of:

— the legal authority for the collection;

— the principal use for the information; and

— the title/address/telephone number of the public official to whom
inquiries may be directed.

e) This notification is on the master or original form used to collect the
personal information.

f) When personal information has been collected from a source other than
the individual, the individual has been given notice of this collection.

g) When notice has not been given to an individual, there is evidence that:
— the responsible minister has waived this requirement, or
— such notice could interfere in law enforcement matters.

h) When personal information is collected and has been used by or
disclosed to another institution, the individual has been informed of:

— the legal authority for the collection of information by the first
institution;

— the purpose for which it will be used by that institution;

— the address and phone number of the official in that institution
to whom inquiries may be directed; and

— the fact that the information will be used by a second institution.

Personal information is kept on file for one year after the last use noted
on the record of use.

Where personal information has been disposed of prior to one year after
last use, there is evidence of the individual’s consent to this action.

Personal Information Banks

Criterion:

There is a system to identify personal information, record its use, and report this
information as required.


Lines of Enquiry:

a) All personal information in the custody or control of the institution is identified
and included in a personal information bank.

b) This process includes a mechanism both to update banks with new personal
information for an individual, and to create new personal information banks as
necessary.

c) The institution has published an annual index of all personal information banks
which contains the following required information:

— name and location of banks;
— legal authority for its establishment;
— types of personal information contained;
— principal uses of the personal information, and typical categories of
users;
— other uses of the personal information;
— categories of individuals for whom records exist;
— policies and practices relating to storage, retention and disposal of
personal information; and
— the title, business address and phone number of the official responsible
for the operation of the personal information bank.

d) A record of use is maintained for any use and disclosure of the personal
information that is beyond the principal uses as defined in the personal
information bank.

e) There is a mechanism to ensure this record of use is attached or otherwise
linked to (and becomes part of) the personal information, in a manner
appropriate to the method used to store the information.

f) When the personal information is accessed, this record of use also appears.


Use of Personal Information 


Criterion: 


The institution’s use of personal information has respected the individual’s privacy and 
right to know how the information is being used. 


Lines of Enquiry:

a) There is evidence that the individual has signed the consent form.

b) The consent has been documented and dated, and includes:

— an identification of the types of personal information;

— the use for which the consent is given; and

— the institution to which the consent is given.

c) The record of use indicates that the types of personal information have been
used for the purpose for which it was obtained / compiled, or a consistent
purpose.

d) This use correlates to the purpose described in the Directory of Records.

e) Where personal information is used by the institution for a purpose other than
that documented in the Directory of Records, this inconsistent use has been
recorded.

f) If the personal information has been used or disclosed for a use consistent with
the purpose for which it was obtained, but the use was not listed in the index,
the institution has:

— updated the index to include that use; and

— included this use/disclosure in the annual report to the Commissioner.


Disclosure of Personal Information 


Criterion: 


There are controls to ensure that the disclosure of personal information meets 
the legislative conditions. 


Lines of Enquiry:

a) The disclosure of information which is inconsistent with the disclosure
statement in the Directory of Records is documented in the record of
use, as is the purpose for the disclosure.

b) The disclosure has been under one of the following conditions:

— in accordance with Part I of MFOIPPA;

— if the individual’s consent has been obtained;

— to a government authority with authorization: the Chair of MBC,
the Commissioner, the Government of Canada or the Office of
the Provincial Auditor for auditing purposes, the Archives,
Statistics Canada or to the Ombudsman;

— for compassionate or “compelling” circumstance;

— to a law enforcement institution or agency in aid of a law
enforcement investigation leading to a law enforcement
proceeding;

— to the Commissioner;

— by a law enforcement institution to a law enforcement agency;

— to the minister;

— to comply with an Act of Legislature or Parliament or an
agreement under it;

— to an officer or employee of the institution who needs the record
in the performance of his or her duties and it is necessary and
proper in the discharge of the institution’s functions;

— for the purpose for which it was obtained or compiled or for a
consistent purpose;

— to an MPP or bargaining agent with the individual’s consent.

c) Where the personal information has been disclosed for "compelling"
circumstances (affecting the health or safety of an individual), there is
evidence that the required notification has been forwarded to the
individual to whom the information relates within a reasonable period of
time.

d) Where the individual’s consent has been given, it is dated, identifies the
personal information which may be disclosed, to whom, and the
institution to which the consent is given.

Retention of Records

Criterion:

The institution has record-keeping systems that efficiently maintain and retrieve
information.


Lines of Enquiry:

a) Personal information has been retained for at least one year from the
date of last use as noted on the record of use in the file.

b) Outdated personal information is revised, retained and available for a
minimum of one year.

c) Retention schedules based on standards of records management have
been developed.

d) The retention schedules have been implemented, and are monitored
periodically to ensure compliance.

e) Records retention requirements are communicated to appropriate staff
in the institution.

f) Clear lines of responsibility have been established to ensure
requirements of records management are met.

Accuracy of Records

Criterion:

There is a process to ensure that program managers maintain accurate and
current personal information.

Lines of Enquiry:

a) The source of the personal information collected is noted in the file.

b) Verification of personal information is documented, and retained on file.

c) A process has been developed to ensure personal information that
becomes outdated is identified, reviewed and updated on a timely basis.

Correction to Records

Criterion:

Individuals having access to their personal information have the opportunity to
record corrections to, or disagreements with, that information.


Lines of Enquiry:

a) Individuals requesting corrections to their records of personal
information have had access to their personal information.

b) Requests relate to factual information or opinions expressed by the
individual.

c) Requests are documented and kept on file.

d) The decision regarding the requested correction has been made by the
Head or delegate, and has been documented.

e) Where the requested correction is made, the information has been
verified, documentation substantiating the correction reviewed, and this
review is noted in the file.

f) The institution’s response to the request for correction of personal
information is made in writing and on a timely basis, and a copy retained
on file.

g) Where the institution’s response indicates that the correction has been
made, the individual has been:

— provided with a copy of the corrected record; and

— notified of the right to have people to whom the personal
information has been disclosed in the previous 12 months
informed of the correction.

h) Where the institution’s response indicates that the correction will not be
made, the individual has been:

— informed of the reason(s);

— notified of the right to appeal the decision;

— notified of the right to have a statement of disagreement
appended to the personal information record; and

— notified of the right to have the statement of disagreement
forwarded to people to whom the personal information has been
disclosed in the previous 12 months.

There is evidence that, if requested, the responsible staff has forwarded
corrections or statements of disagreement regarding records of personal
information to individuals noted on the relevant record of use.

Disposal of Records

Criterion:

There are processes in place to ensure efficient and prompt disposal of records
when their administrative, legal and fiscal value has ceased, in accordance with
retention schedules.


Lines of Enquiry:

a) Personal information that has been used by the institution is retained for
the shorter of one year after use or the period set out in a by-law or
resolution made by the institution, unless the individual to whom the
institution refers consents to its earlier disposal.

b) Appropriate authorization (Head or delegate) is obtained prior to
destruction of records.

c) A dated record of disposal has been maintained which indicates what
personal information has been destroyed.

d) When records have been destroyed, they cannot be reconstructed:

— paper records have been burned, pulped or shredded;

— magnetic media have been erased or written-over during reuse.